Let web and API routes have different auth methods group (#19168)

* remove the global methods but create dynamiclly

* Fix lint

* Fix windows lint

* Fix windows lint

* some improvements

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>

3 files changed, 58 insertions, 1 deletions

diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index 5ac6fba29b..3debf58a17 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -563,6 +563,26 @@ func bind(obj interface{}) http.HandlerFunc {
 	})
 }
 
+// The OAuth2 plugin is expected to be executed first, as it must ignore the user id stored
+// in the session (if there is a user id stored in session other plugins might return the user
+// object for that id).
+//
+// The Session plugin is expected to be executed second, in order to skip authentication
+// for users that have already signed in.
+func buildAuthGroup() *auth.Group {
+	group := auth.NewGroup(
+		&auth.OAuth2{},
+		&auth.Basic{},      // FIXME: this should be removed once we don't allow basic auth in API
+		auth.SharedSession, // FIXME: this should be removed once all UI don't reference API/v1, see https://github.com/go-gitea/gitea/pull/16052
+	)
+	if setting.Service.EnableReverseProxyAuth {
+		group.Add(&auth.ReverseProxy{})
+	}
+	specialAdd(group)
+
+	return group
+}
+
 // Routes registers all v1 APIs routes to web application.
 func Routes(sessioner func(http.Handler) http.Handler) *web.Route {
 	m := web.NewRoute()
@@ -583,8 +603,13 @@ func Routes(sessioner func(http.Handler) http.Handler) *web.Route {
 	}
 	m.Use(context.APIContexter())
 
+	group := buildAuthGroup()
+	if err := group.Init(); err != nil {
+		log.Error("Could not initialize '%s' auth method, error: %s", group.Name(), err)
+	}
+
 	// Get user from session if logged in.
-	m.Use(context.APIAuth(auth.NewGroup(auth.Methods()...)))
+	m.Use(context.APIAuth(group))
 
 	m.Use(context.ToggleAPI(&context.ToggleOptions{
 		SignInRequired: setting.Service.RequireSignInView,
diff --git a/routers/api/v1/auth.go b/routers/api/v1/auth.go
new file mode 100644
index 0000000000..359c9ec56b
--- /dev/null
+++ b/routers/api/v1/auth.go
@@ -0,0 +1,12 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+//go:build !windows
+// +build !windows
+
+package v1
+
+import auth_service "code.gitea.io/gitea/services/auth"
+
+func specialAdd(group *auth_service.Group) {}
diff --git a/routers/api/v1/auth_windows.go b/routers/api/v1/auth_windows.go
new file mode 100644
index 0000000000..d41c4bb223
--- /dev/null
+++ b/routers/api/v1/auth_windows.go
@@ -0,0 +1,20 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package v1
+
+import (
+	"code.gitea.io/gitea/models/auth"
+	auth_service "code.gitea.io/gitea/services/auth"
+)
+
+// specialAdd registers the SSPI auth method as the last method in the list.
+// The SSPI plugin is expected to be executed last, as it returns 401 status code if negotiation
+// fails (or if negotiation should continue), which would prevent other authentication methods
+// to execute at all.
+func specialAdd(group *auth_service.Group) {
+	if auth.IsSSPIEnabled() {
+		group.Add(&auth_service.SSPI{})
+	}
+}